III. Status of the Claims

This application was filed with 21 claims. Claims 10 and 16 were cancelled in a response to 
the PTO mailed February 28, 2003. The Final Office Action dated May 21, 2003, rejected the 
remaining claims, i.e., claims 1 through 9, 11 through 15, and 17 through 21, and these claims are at
issue in this appeal. 

IV. Status of Amendments 

No amendment was filed in response to the Final Office Action and, thus, there is no 
outstanding amendment in this application. 

V. Summary of the Invention 

When a user wishes to access resources provided by a computing system, the present 
invention allows the user to use his voice to authenticate himself to the computing system. See the 
application, page 5, lines 6-7. In a communications environment with transmission links that 
support both voice and data messages (in the present application, these links are called "dual- 
access" or "converged"), the user vocally responds to one or more challenges posed by the 
computing system. See id. at page 2, lines 7-14; id. at page 5, lines 6-7. The user's spoken responses 
are then sent to a speaker recognition-based authentication facility that compares those responses to 
one or more stored voice samples previously provided by the user during an enrollment procedure. 
See id. at page 5, lines 10-11. If the spoken responses are sufficiently close to the stored voice 
samples, then the user is authenticated to the computing system as a domain user or is logged onto 
the local system. See id. at page 5, lines 11-13. Once authenticated, an application proxy for the user 
is created, and the application proxy acts on behalf of the authenticated user. See id. at page 5, lines 
15-16. Voice-based authentication allows the user to log in to the computing system without the aid 
of a keyboard, smart card, or such. See id. at page 5, lines 13-14. 

The set of challenges changes each time the computing system is accessed in order to 
prevent a non-user from playing back responses previously recorded by a legitimate user. See id. at 
page 5, lines 7-10; id. at page 17, lines 15-17; id. at page 30, line 29, through page 31, line 2. To 
provide even greater security, the dual-access links allow this voice-authentication system to be 
combined with traditional text-based challenges and responses (e.g., "type in your user name and 
password"). See id. at page 29, lines 13-14; id. at page 30, lines 13-20. 

A typical communications environment in which the present invention can be practiced is 
presented in Figure 2 of the application, reproduced below, and the accompanying text. 
FIG. 2



The converged computing/communications environment of Figure 2 includes a local 
network 112. See the application, page 10, lines 18-19. In the local network 112, analog voice, IP 
voice, e-mail, instant messaging, video, fax, IP fax, and data calls are blended together and passed 
through a routing/rules engine within a network server 114. See id. at page 10, lines 19-21. (Here,
"data calls" are calls that do not use audible speech commands, while "voice calls" involve spoken
commands and information. See id. at page 14, lines 18-20. Data calls include, by way of example,
Internet multimedia, video, fax, IP telephony, e-mail, web forms, and web events. See id. at page 14,
lines 20-21.) A "converged" communications link 116 connects the network server 114 to a WAN
110. See id. at page 10, lines 21-22. The converged communications link 116 supports both voice
and data communications between the local network 112 and the WAN 110. See id. at page 10,
lines 23-24. While only a single link 116 is shown in Figure 2 for the network server 114, the
network server 114 also includes standard telephony interfaces which the network server 114 uses
when communicating over the Public Switched Telephony Network. See id. at page 10, lines 24-27.

Figure 8 of the application, reproduced below, and the accompanying text present details of 
embodiments of the methods of the present invention. 

The method of Figure 8 begins in step 600 when a user requesting authentication calls into a
communications server. See id. at page 17, lines 10-11; id. at page 30, lines 9-10. The user can call 
from any telephone or other terminal device having a suitable voice signal transducer, including, for 
example, an ordinary telephone, a cellular phone, or a personal computer with a microphone input. 
See id. at page 17, lines 11-13, 27-19; id. at page 28, line 21, through page 29, line 1. The call is 
forwarded to a voice-print application in step 602. See id. at page 30, lines 9-12. In step 604, the 
voice-print application invokes operations within the communications server to prompt the user to 
identify himself. See id. at page 30, lines 13-16. (Preferably the prompt is audible, but it can be text
if the user's calling device has a text interface as is available on personal computers and some 
phones today. See id. at page 30, lines 14-15.) Next, during step 606 the communications server 
receives the user's identification which can be in the form of a sequence of touch tones or can be 
spoken words. See id. at page 30, lines 16-18. The response is converted to an alphanumeric 
sequence that is used to find an entry corresponding to the user within a voice-print authentication 
database. See id. at page 29, lines 5-9; id. at page 30, lines 18-20. Assuming that a corresponding 
entry is located within the database, control passes to step 608. See id. at page 30, lines 20-21.

In step 608, the voice-print application variably selects a challenge from a voice-print key 
field in the voice-print authentication database and presents the challenge to the user. See id. at page 
29, lines 10-12, 18-25; id. at page 30, lines 22-23; id. at page 31, lines 4-5. It is important that the 
challenge be varied so that there is a low likelihood that a particular challenge will be repeated. See 
id. at page 17, lines 15-17; id. at page 29, lines 26-30; id. at page 30, lines 29-30. In this manner, the 
voice-print application provides assurance that expected user responses will be unique and reduces 
the system's vulnerability to imposter attacks. See id. at page 31, lines 1-2. To create the desired 
variability, the challenge can be a request to repeat a word, a phrase, a sequence of numbers, or can 
involve some combination of requests. See id. at page 30, lines 23-24. For example, the challenge 
can be a request to speak a word plus today's date. See id. at page 30, lines 24-27. In this example, it 
is reasonable to expect that the combination of words and phrases in the user's response will be 
unique every time an authorized user logs onto the system. See id. at page 30, lines 27-29. 
Alternatively, the challenge can comprise questions from a set of personal questions answered by 
the user during a secure registration process. See id. at page 31, lines 2-4. 

Next, in step 610 the voice-print application receives the user's vocal response to the 
challenge and compares that response with a pre-stored reference response in step 612. See id. at 
page 31, lines 6-9. If the user's response comes within an acceptable range of similarity to the
pre-stored reference response, then the user is considered authentic, and control passes to step 614. See
id. at page 31, lines 9-11.

In step 614, the voice-print application creates a virtual user desktop for the authenticated 
user and logs into a network domain with credentials cached for this user. See id. at page 31, lines 
12-14. A Microsoft Terminal Server can be used for the virtual desktop and can operate on behalf of 
the user. See id. at page 31, lines 14-15. The voice-print application retrieves the contents of a 
network identification/password field from the voice-print authentication database, and a logon 
proxy submits a logon request via a password notification message to a connected domain 
controller. See id. at page 29, lines 13-14; id. at page 31, lines 15-18. Thereafter, the voice-print 
application creates an application proxy that holds the credentials for the authenticated user. See id. 
at page 31, lines 19-20. In a network environment, the application proxy has all the credentials of 
the user as if the user had logged in locally via a personal computer or remotely via a remote access 
server. See id. at page 31, lines 20-22. 

If at step 612, the voice-print application determines that the user's vocal response is not 
sufficiently similar to the pre-stored reference response, then the user's logon request is rejected. 
See id. at page 32, lines 6-9. Alternatively, the user is allowed multiple attempts to logon. See id. at 
page 32, lines 9-14. Because the user can be using any of a variety of voice devices over any of a 
variety of communications media, it is important that the user's vocal logon attempt not be rejected 
merely because a different voice transducer or a bad connection creates differences between a 
training sequence and a challenge response. See id. at page 17, line 29, through page 18, line 3. 
Preferably, sufficiently robust voice-match procedures, known to those skilled in the art of voice- 
based, user-identity verification, are performed during the comparison operation to reliably generate 
a positive match result when a legitimate user accesses the voice-print application. See id. at page 
18, lines 3-6. Fail-safe authentication procedures can provide fallback mechanisms for instances 
where a user is improperly rejected due to changes in the user's voice because of a cold or a poor 
phone connection. See id. at page 18, lines 6-9.
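
The flow of steps 606 through 614 described above, sketched as an added example (not code from the application or from this brief). Speaker matching is modeled as cosine similarity over constructed feature vectors, and the database layout, threshold, retry limit, dates, and all names are assumptions.

```python
import math
import secrets
from collections import deque
from datetime import date

THRESHOLD = 0.90     # assumed "acceptable range of similarity" (step 612)
MAX_ATTEMPTS = 3     # assumed retry limit for the multiple-attempt variant
RECENT_WINDOW = 2    # assumed: a word is not reissued within this many challenges

# Constructed voice-print authentication database, keyed by user identification.
DB = {
    "4412": {
        # voice-print key field: challenge word -> enrolled reference features
        "voice_print_keys": {
            "harbor": [0.9, 0.1, 0.3],
            "violet": [0.2, 0.8, 0.4],
            "granite": [0.5, 0.5, 0.7],
            "meadow": [0.1, 0.3, 0.9],
        },
        "network_id": "jdoe",   # placeholder for the network identification/password field
        "recent": deque(maxlen=RECENT_WINDOW),
    }
}


def cosine(a, b):
    """Stand-in for a real speaker-verification score."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


def issue_challenge(entry, today):
    """Step 608: choose a word unpredictably, skip recent ones, append today's date."""
    candidates = [w for w in entry["voice_print_keys"] if w not in entry["recent"]]
    word = secrets.choice(candidates)
    entry["recent"].append(word)
    return word, f"{word} {today.isoformat()}"


def verify(entry, word, phrase, response):
    """Steps 610-612: the caller must say this challenge and sound like the enrollee."""
    transcript, features = response
    if transcript != phrase:          # stale or wrong content, e.g. a replayed recording
        return False
    return cosine(features, entry["voice_print_keys"][word]) >= THRESHOLD


def logon(user_id, respond, today=None, db=DB):
    """Steps 606-614; respond(phrase) models the caller, returns (transcript, features)."""
    today = today or date.today()
    entry = db.get(user_id)
    if entry is None:                 # no database entry for this identification
        return None
    for _ in range(MAX_ATTEMPTS):     # a fresh challenge is issued on every attempt
        word, phrase = issue_challenge(entry, today)
        if verify(entry, word, phrase, respond(phrase)):
            return {"proxy_for": entry["network_id"]}   # stands in for step 614
    return None


# Constructed callers for a logon on 2024-03-15.
def legitimate(phrase):
    ref = DB["4412"]["voice_print_keys"][phrase.split()[0]]
    return phrase, [v + 0.02 for v in ref]       # same voice, slight channel noise

def replayed(phrase):
    return "harbor 2024-03-14", [0.9, 0.1, 0.3]  # yesterday's recording, perfect voice

def imposter(phrase):
    return phrase, [1.0, -1.0, 0.0]              # right words, wrong voice


if __name__ == "__main__":
    day = date(2024, 3, 15)
    for caller in (legitimate, replayed, imposter):
        print(caller.__name__, logon("4412", caller, day))
```

The replayed recording scores a perfect voice match yet is rejected, because its content no longer corresponds to the challenge issued for this attempt.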

VI. Issues on Appeal 

There are two issues on appeal. 

(1) Whether claims 1 through 9, 11 through 13, and 21 are unpatentable under 35 U.S.C.
§ 103(a) as obvious over the combination of U.S. Patents 6,161,090 ("Kanevsky")
and 5,604,786 ("Engelke"). Specifically, the issue is whether this combination
teaches all of the elements of these claims.

(2) Whether claims 14, 15, and 17 through 20 are unpatentable under 35 U.S.C. § 103(a) 
as obvious over the combination of Kanevsky and Engelke. Specifically, the issue is 
whether this combination teaches all of the elements of these claims. 

VII. Grouping of the Claims 

Applicant respectfully submits that the claims pending in this application do not stand or fall 
together. Claims 1 through 9, 11 through 13, and 21 ("Group I") stand or fall together. Also, claims
14, 15, and 17 through 20 ("Group II") stand or fall together. 

These groupings are appropriate under 37 C.F.R. § 1.192(c)(7). While the Final Office 
Action rejects all pending claims under the same rationale, stating: "Claims 14-15, 17-20 are 
apparatus claims to implement the method of claims 1-9, 11-13, and are similar in scope and 
content, and are rejected under similar rationale" (last paragraph on page 4 of the Final Office 
Action), this appears to be an error in the Final Office Action. The sweeping statement quoted 
above ignores both the "logon request" and the "logon server" elements of claim 14, elements not 
found in claim 1. The importance of these elements is discussed in the argument below.

VIII. Argument 

To present a prima facie case of obviousness under 35 U.S.C. § 103(a), the cited references 
must, either separately or in combination, suggest or teach all of the elements of the rejected claims. 
See the Manual of Patent Examining Procedure § 2143. 

Applicant respectfully submits that the Final Office Action has failed to establish a prima 
facie case of obviousness because the combination of cited references neither teaches nor suggests 
all of the elements of the rejected claims. Therefore, reconsideration and allowance of claims 1 
through 9, 11 through 15, and 17 through 21 are respectfully solicited.

A. The Rejections 

The Final Office Action dated May 21, 2003, rejected all pending claims under 35 U.S.C. 
§ 103(a) as obvious over a combination of Kanevsky and Engelke. 

Kanevsky teaches a method for authenticating a user's identity by challenging the user and 
then comparing the user's vocal responses with vocal responses stored in a database. However, 
Kanevsky's is a pure voice system and, as the Final Office Action pointed out, Kanevsky does not
"specifically teach the dual-access communication interface supporting both data calls and voice
calls over a same physical input." See the Final Office Action, page 3, lines 6-8. In terms of the
pending independent claims 1, 14, and 21, the Final Office Action admitted that Kanevsky does not
teach the emphasized elements:

Claim 1: A method for authenticating a user for access to a computer network
via a network access server including a dual-access communications 
interface supporting both data calls and voice calls over a same 
physical input, the method comprising the steps of: 

receiving, via the dual-access communications interface, a 
user identification from a user seeking access to the computer 
network via the dual-access communications interface; 

issuing a variable challenge query; 

receiving, via the dual-access communications interface, a 
voice response to the challenge query; and 

selectively logging the user onto the computer network based 
upon a determination of whether the voice response to the challenge 
meets a matching standard with reference to a stored voice sample 
sequence, wherein the voice sample sequence corresponds to the user 
identification and the challenge query. 

(Emphasis added.) (Claim 21 is a computer-readable medium or "Beauregard" counterpart to claim 
1 and contains language identical to that of claim 1. Claim 14 is an apparatus claim with somewhat 
similar language that the Final Office Action cursorily rejected. See Section VIII.C below.) 

To supply Kanevsky's admitted lack of disclosure of these recited claim elements, the Final
Office Action turns to Engelke. Engelke teaches a device that can either be used as a traditional, 
analog voice telephone or as a Telecommunication Device for the Deaf ("TDD"). TDDs typically 
incorporate both a keyboard and an alphanumeric display and communicate over traditional, analog 
telephone lines. Hearing impaired people use TDDs to send text messages to each other in lieu of 
making voice telephone calls. Based on the dual functionality of Engelke's device, the Final Office 
Action considered that Engelke teaches a "dual-access communications interface." The Final Office 
Action then presented the combination of Kanevsky and Engelke as teaching all the elements of the
pending claims. 

B. The Final Office Action Failed to Establish a Prima Facie Case of Obviousness 
with Respect to the Claims of Group I 

The combination of Kanevsky and Engelke does not teach the final element of the 
independent claims of Group I, that is, of claims 1 and 21: "selectively logging the user onto the
computer network . . . ." While Kanevsky authenticates a user, neither Kanevsky nor Engelke teach
using that authentication as a basis for logging the user onto a computer network. The Final Office
Action cited Kanevsky, column 3, lines 25-50, for this element, but Kanevsky there discusses only 
"permitting access to a service or facility" rather than the claimed "logging onto the computer 
network." Indeed, Kanevsky merely recites an authentication process but does not further disclose 
establishing a "user" within a network based upon the authentication of the user's voice. Because it 
did not show a combination that also teaches this element, the Final Office Action failed to present a 
prima facie rejection of claims 1 and 21. Therefore, these claims should be allowed.

The other claims in Group I, that is, claims 2 through 9 and 11 through 13, all depend upon
claim 1 and are thus allowable for at least the same reasons that claim 1 is allowable. 

In addition, claims 3 through 9 add refinements to the logging on element of claim 1. As the
cited combination of Kanevsky and Engelke does not even teach logging on, it certainly does not 
disclose these additional refinements. 

Specifically, the "network security server" of claim 3 that receives a user identification and 
password is nowhere to be found in the cited art. 

Similarly, claims 4 and 5 discuss receiving authentication credentials for a user who is 
already logged on. The cited portion of Kanevsky deals only with the authentication process itself 
and does not discuss authentication credentials received afterward. 

Claim 5's authentication proxy that carries out requests on behalf of the authenticated user is 
not found in the cited art. The Final Office Action's rejection of claim 5 is puzzling: The art cited 
against claim 5 (Kanevsky, column 8, lines 37-55) merely discloses an alternate enrollment 
procedure for a user having a voice that has not yet been characterized. Neither in this portion of 
Kanevsky, nor anywhere in the cited art, is an authentication proxy discussed. 

The rejection of claim 6 is similarly puzzling. Claim 6 describes a notification of a
successful logon attempt plus an application executed "in accordance with vocal commands
received by the dual-access communications interface." No such notification and no such
application appear in the cited art. Strangely, the same portion of Kanevsky was cited against claim
6 as was cited against claim 5. That cited portion is no more appropriate here than there.

Finally, the application executed in claim 6 is further characterized as a "personal interactive 
voice response application" in claim 7, as a "distributed conference bridge" in claim 8, and as an 
"instant message application" in claim 9. Nowhere does Kanevsky or Engelke disclose these 
applications. 

C. The Final Office Action Failed to Establish a Prima Facie Case of Obviousness
with Respect to the Claims of Group II 

The Final Office Action's rejection of the claims of Group II was very cursory and merely 
analogized these claims to those of Group I without performing any further analysis or citing 
particular sections in Kanevsky or Engelke. In its totality, the rejection reads: "Claims 14-15, 17-20 
are apparatus claims to implement the method of claims 1-9, 11-13, and are similar in scope and 
content, and are rejected under similar rationale." The Final Office Action, page 4, final paragraph. 

The combination of Kanevsky and Engelke does not teach at least the following highlighted 
elements of the sole independent claim of Group II: 

Claim 14: A system for authenticating a user for access to a computer network, 
the system comprising: 

a network access server . . . issuing a logon request, 
including a user identification and password, on behalf of an 
authenticated user determined by the comparison of the received 
response to the stored voice sample sequence; 

a logon server coupled to the network access server and 
configured to receive the user identification and password from the 
network access server and in response providing a set of 
corresponding credentials for use by an application proxy. 

(Emphasis added.) As explained above with respect to the claims of Group I, while Kanevsky
authenticates a user, neither Kanevsky nor Engelke teach using that authentication as a basis for
"issuing a logon request" to log the user onto a computer network. Kanevsky merely recites an
authentication process but does not further disclose establishing a "user" within a network based
upon the authentication of the user's voice. Further, the combination of Kanevsky and Engelke does
not show a "logon server" that receives the "user identification and password" and nowhere
discusses security "credentials" of the authenticated user. Finally, as with claim 5 above, the cited
art does not disclose an "application proxy." Clearly, the Final Office Action did not show a
combination that teaches these elements, and therefore the Final Office Action failed to present a
prima facie rejection of claim 14. Therefore, this claim should be allowed.

The other claims in Group II, that is, claims 15 and 17 through 20, all depend upon claim 14 
and are thus allowable for at least the same reasons that claim 14 is allowable. 

Further, pending claims 17 through 19 include the element of a "voice applications server." 
Kanevsky does not disclose this voice applications server, nor does it mention the particular voice 
applications recited in claims 18 ("personal interactive voice response application") and 19 
("distributed conference bridge"). 

Finally, the cited art nowhere discloses or suggests claim 14's "electronic personal assistant 
platform." 

Conclusion 

In view of the above, applicant submits that the Final Office Action failed to establish that 
claims 1 through 9, 11 through 15, and 17 through 21 are obvious in light of the cited art. 
Accordingly, these claims should be allowable, and applicant respectfully solicits the Board to 
consider this Appeal, to remove the outstanding grounds of rejection, and to allow claims 1 through 
9, 11 through 15, and 17 through 21.






In re Application of: Loveland 
Application No.: 09/502,515 



Date: May 17, 2004 



Respectfully submitted, 

John T. Bretscher, Reg. No. 52,651 
One of the Attorneys for Applicant 
LEYDIG, VOIT & MAYER, LTD. 
Two Prudential Plaza, Suite 4900 
180 North Stetson 
Chicago, Illinois 60601-6780 
(312)616-5600 (telephone) 
(312)616-5700 (facsimile) 






Appendix: The Claims on Appeal 

1. A method for authenticating a user for access to a computer network via a network access
server including a dual-access communications interface supporting both data calls and 
voice calls over a same physical input, the method comprising the steps of: 

receiving, via the dual-access communications interface, a user identification 
from a user seeking access to the computer network via the dual-access communications 
interface; 

issuing a variable challenge query; 

receiving, via the dual-access communications interface, a voice response to the 
challenge query; and 

selectively logging the user onto the computer network based upon a 
determination of whether the voice response to the challenge meets a matching standard 
with reference to a stored voice sample sequence, wherein the voice sample sequence 
corresponds to the user identification and the challenge query. 

2. The method of claim 1 wherein the variable challenge query is selected from a set of 
potential queries, the variable challenge query determined in a manner such that the user 
cannot determine, in advance of the issuing step, the challenge query. 

3. The method of claim 1 wherein the logging on procedure comprises submitting a stored 
computer network user identification and password by the network access server to a 
network security server. 

4. The method of claim 3 further comprising the step of receiving, in response to the 
submitting step, a set of credentials for a logged on user. 

5. The method of claim 4 further comprising the step of creating an application proxy 
having the set of credentials for the logged on user, the application proxy carrying out 
requests on behalf of the user seeking access to the computer network. 

6. The method of claim 3 further comprising the steps of receiving a notification of 
successful logging onto the computer network and thereafter executing an application in 
accordance with vocal commands received by the dual-access communications interface. 

7. The method of claim 6 wherein the application comprises a personal interactive voice
response application. 

8. The method of claim 6 wherein the application comprises a distributed conference bridge. 

9. The method of claim 6 wherein the application comprises an instant messaging 
application. 

11. The method of claim 1 wherein the challenge query is a request to repeat a phrase 
transmitted by the dual-access communications interface. 

12. The method of claim 11 wherein the phrase transmitted by the dual-access
communications interface is generated by a text to speech synthesizer based upon 
alphanumeric values. 

13. The method of claim 1 wherein the challenge query is a question for which a 
corresponding vocal response has been recorded in an authentication database entry 
keyed to an identified user and the question. 

14. A system for authenticating a user for access to a computer network, the system
comprising: 

a user authentication database including for each registered user: 
an identification, and 

a set of vocal samples corresponding to the identification; 

a network access server, including a dual-access communications interface 
supporting both data calls and voice calls over a same physical input, for receiving a user 
identification from a user seeking authentication via the dual-access communications 
interface, issuing a variable challenge query, comparing a received response to the 
challenge query to a stored voice sample sequence corresponding to the user 
identification and the challenge query, and issuing a logon request, including a user 
identification and password, on behalf of an authenticated user determined by the 
comparison of the received response to the stored voice sample sequence; 

a logon server coupled to the network access server and configured to receive the 
user identification and password from the network access server and in response 
providing a set of corresponding credentials for use by an application proxy. 

15. The system of claim 14 wherein the variable challenge query is obtained from a set of 
potential queries wherein the variable challenge query is determined in a manner such 
that a user cannot determine, in advance of issuing the challenge query, the challenge 
query. 

17. The system of claim 14 further comprising a voice applications server supporting a set of 
voice applications. 

18. The system of claim 17 wherein the voice applications include a personal interactive 
voice response application. 

19. The system of claim 17 wherein the voice applications include a distributed conference 
bridge. 

20. The system of claim 14 further comprising an electronic personal assistant platform 
supporting an extensible set of voice accessed applications. 

21. A computer-readable media including computer-executable instructions for performing a
set of steps for authenticating a user for access to a computer network via a network 
access server including a dual-access communications interface supporting both data calls 
and voice calls over a same physical input, the steps including: 

receiving, via the dual-access communications interface, a user identification 
from a user seeking access to the computer network via the dual-access communications 
interface; 

issuing a variable challenge query; 

receiving, via the dual-access communications interface, a voice response to the 
challenge query; and 

selectively logging the user onto the computer network based upon a 
determination of whether the voice response to the challenge meets a matching standard 
with reference to a stored voice sample sequence, wherein the voice sample sequence 
corresponds to the user identification and the challenge query. 